RFP Sast: SWOT Analysis: Checkmarx


RFP_SAST.md 28/06/2022

RFP SAST

SWOT Analysis: Checkmarx

Strengths

* Checkmarx is a Leader in this Magic Quadrant -> implies funding for further development and progress
* Competitive ... where SAST is a high priority.
* Checkmarx has strong developer enablement

Weakness

* Customers cite high costs

Opportunities

* None

Threats

* Possibility of a switch to a SaaS-only service

SWOT Analysis: Github

Strengths

* GitHub’s primary focus is on SAST
* Many security functions are included at no extra cost for public repositories
* Tight integration with GitHub Actions and the GitHub source code repository
* Checks report cause, code paths, consequences, CVEs and suggested fixes
* Checks issues with open-source packages


* Automated pull request to remediate an open-source flaw
* Developer enablement is good

Weakness

* Essentially limited to developers working in the context of GitHub itself
* Comparatively limited language support

Opportunities

* Ease of use for GitHub users -> GitHub is well adopted by developers
* Results are displayed during a pull request -> continuous checks
* GitHub code scanning can import SARIF from any other SAST tool
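The SARIF import mentioned above is what lets findings from a tool outside GitHub show up as pull-request annotations. The following is an added example, not code from the original document or from GitHub; it converts a hypothetical, constructed finding format into a minimal SARIF 2.1.0 document and checks the structural fields that code scanning relies on (version, tool driver name, and per-result rule id, message and repository-relative location). The schema URL is the schemastore mirror of the SARIF 2.1.0 schema; the tool name and findings are made up for the example.

```python
import json

SARIF_VERSION = "2.1.0"
# Assumption: schemastore mirror of the OASIS SARIF 2.1.0 schema.
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample findings in the shape a hypothetical SAST tool might emit.
# This is not any real vendor's output format.
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "high", "file": "src/config.py",
     "line": 12, "column": 5, "text": "Hard-coded credential assigned to a variable."},
    {"rule": "sql-injection", "severity": "medium", "file": "src/db.py",
     "line": 40, "column": 9, "text": "User input concatenated into a SQL query."},
]

# Map the hypothetical tool's severities onto SARIF result levels.
SEVERITY_TO_LEVEL = {"high": "error", "medium": "warning", "low": "note"}


def to_sarif(tool_name, tool_version, findings):
    """Build a minimal SARIF 2.1.0 log with one run from a list of findings."""
    rules = {}
    results = []
    for f in findings:
        # Every ruleId referenced by a result gets a rule entry in the driver.
        rules.setdefault(f["rule"], {"id": f["rule"],
                                     "shortDescription": {"text": f["rule"]}})
        results.append({
            "ruleId": f["rule"],
            "level": SEVERITY_TO_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["text"]},
            "locations": [{"physicalLocation": {
                # uri is kept relative to the repository root so the finding
                # can be mapped onto the changed file in a pull request.
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"], "startColumn": f["column"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def check_sarif(doc):
    """Return a list of structural problems; an empty list means the minimal
    fields needed for import are present."""
    problems = []
    if doc.get("version") != SARIF_VERSION:
        problems.append("version must be %s" % SARIF_VERSION)
    runs = doc.get("runs") or []
    if not runs:
        problems.append("at least one run is required")
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append("run %d: tool.driver.name is required" % i)
        for j, res in enumerate(run.get("results", [])):
            if not res.get("ruleId"):
                problems.append("run %d result %d: ruleId missing" % (i, j))
            if not res.get("message", {}).get("text"):
                problems.append("run %d result %d: message.text missing" % (i, j))
            locs = res.get("locations") or []
            uri = ""
            if locs:
                uri = (locs[0].get("physicalLocation", {})
                       .get("artifactLocation", {}).get("uri", ""))
            if not uri:
                problems.append("run %d result %d: artifactLocation.uri missing" % (i, j))
            elif uri.startswith("/") or "://" in uri:
                problems.append("run %d result %d: uri should be repository-relative" % (i, j))
    return problems


if __name__ == "__main__":
    log = to_sarif("example-sast", "0.1", SAMPLE_FINDINGS)
    assert check_sarif(log) == []
    print(json.dumps(log, indent=2))
```

The generated file would be handed to code scanning's SARIF upload step in a workflow; the check function is worth running first, because a missing rule id or an absolute path silently yields findings that cannot be annotated on the diff.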

Threats

* Some tools may entail extra cost
* The product’s focus is on the native GitHub platform

SWOT Analysis: Microfocus

Strengths

* Fortify products provide comprehensive AST, with broad language coverage and a range of customization and integration options
* One of the most complete AST offerings
* Windows, Linux, and Mac OS X
* ABAP/BSP, ActionScript/MXML (Flex), APEX, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP (w/VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, TypeScript, T-SQL, Ruby, Scala, Swift, Visual Basic (VB.NET), Visual Basic 6, VBScript, XML

Weakness

* Pricing remains complicated and expensive


Opportunities

* Real-time security checker that operates within the IDE
* A completely in-band automated triaging of findings

Threats

* Complexity and volume of unfiltered results

SWOT Analysis: Snyk

Strengths

* Real-time feedback in the IDE
* AST capabilities are mature and granular
* Detailed information about identified vulnerabilities
* Automated remediation advice
* Checks if the vulnerability is actually reachable inside the code
* Offering is predictable and prices are publicly available for up to 150 users
* Learn and fix vulnerabilities in open source dependencies
* Check for hard coded secrets
* Check for coding issues such as dead code
* Check for type inference
* Check for division-by-zero
* Check for null dereference
* Check for data flow issues
* Check for API misuse
* Check for race conditions
* Check for type mismatches
* Integration into IDE, Git, CI/CD.

Weakness

* Doesn’t provide SAST for iOS applications

Opportunities

* Extensive knowledge of developer environments and a developer-friendly approach
* ML-based scanning of interpreted code
  * In your application code
  * In container images
  * Insecure configurations in Terraform and Kubernetes

Threats

* None

SWOT Analysis: WhiteHat Security

Strengths

* Has a consistent level of quality and ease of use across its toolset

Weakness

* UI and reporting tools could use some refinement

Opportunities

* None

Threats

* Market seems to be moving very quickly toward newer technologies that support containers and “modern” development styles
* Customers report that scanning isn’t as fast as they had expected

Conclusion

Integrating security into DevOps is a delicate challenge for AppSec professionals. However, one thing is for certain: if developers are asked to scan their code and the tool they are provided with doesn't deliver fast, frictionless results, they will be less inclined to use it or will resist it altogether. By providing the fastest scans possible, friction can be eased and adoption accelerated, improving the relationship between developers and AppSec teams. That's why WhiteHat Security will not be considered. GitHub is also out of the race, since it is too tightly bound to its own ecosystem; the solution must run on premise with our GitLab instance. Since our data regulations require that the code does not leave the university servers, Snyk is also out of the running. The two remaining candidates are Checkmarx and Microfocus.

Proposal for PoC

Both candidates are very promising, but in the end we choose just one for the PoC. Microfocus and Checkmarx are comparable in their features and results. Our regulations demand that the code stays in-house, so the solution has to be completely on premise. The announcement by Checkmarx that they could go SaaS-only is a no-go.

That's why we choose Microfocus Fortify as our PoC candidate.
